* [PATCH 00/11] netfilter: nf_tables: small cleanups and netlink fixes
@ 2012-12-12 18:47 kaber
From: kaber @ 2012-12-12 18:47 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel

The following patches clean up a few minor things and fix a couple of netlink
issues:

- rename of pid to portid for consistency
- revert the patch that added the use attribute, which is only sent by the kernel, to the nla_policy
- move the hgenerator to the table to save a bit memory
- move the chain policy to basechains
- send netlink notifications for basechain policy changes
- introduce a chain handle and fix chain renames
- fix an invalid event type for rule GET operations
- remove ability to specify handles for new rules
- return an error for unsupported rule change requests
- return an error for rule replacement requests without a rule
- include NLM_F_APPEND/NLM_F_REPLACE in NEWRULE messages

Please apply, thanks.


* [PATCH 01/11] netfilter: nf_tables: rename pid variables to portid
From: kaber @ 2012-12-12 18:47 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Patrick McHardy

From: Patrick McHardy <kaber@trash.net>

Use consistent naming for portids.

Signed-off-by: Patrick McHardy <kaber@trash.net>
---
 net/netfilter/nf_tables_api.c | 59 ++++++++++++++++++++++---------------------
 1 Datei geändert, 30 Zeilen hinzugefügt(+), 29 Zeilen entfernt(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 2253593..70ca084 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -156,7 +156,7 @@ static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
 	[NFTA_TABLE_FLAGS]	= { .type = NLA_U32 },
 };
 
-static int nf_tables_fill_table_info(struct sk_buff *skb, u32 pid, u32 seq,
+static int nf_tables_fill_table_info(struct sk_buff *skb, u32 portid, u32 seq,
 				     int event, int family,
 				     const struct nft_table *table)
 {
@@ -164,10 +164,10 @@ static int nf_tables_fill_table_info(struct sk_buff *skb, u32 pid, u32 seq,
 	struct nfgenmsg *nfmsg;
 
 	event |= NFNL_SUBSYS_NFTABLES << 8;
-	nlh = nlmsg_put(skb, pid, seq, event, sizeof(struct nfgenmsg), 0);
+	nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
 	if (nlh == NULL)
 		goto nla_put_failure;
-	nlh->nlmsg_flags	= pid ? NLM_F_MULTI : 0;
+	nlh->nlmsg_flags	= portid ? NLM_F_MULTI : 0;
 
 	nfmsg = nlmsg_data(nlh);
 	nfmsg->nfgen_family	= family;
@@ -191,7 +191,7 @@ static int nf_tables_table_notify(const struct sk_buff *oskb,
 				  int event, int family)
 {
 	struct sk_buff *skb;
-	u32 pid = oskb ? NETLINK_CB(oskb).portid : 0;
+	u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
 	u32 seq = nlh ? nlh->nlmsg_seq : 0;
 	struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
 	bool report;
@@ -206,17 +206,17 @@ static int nf_tables_table_notify(const struct sk_buff *oskb,
 	if (skb == NULL)
 		goto err;
 
-	err = nf_tables_fill_table_info(skb, pid, seq, event, family, table);
+	err = nf_tables_fill_table_info(skb, portid, seq, event, family, table);
 	if (err < 0) {
 		kfree_skb(skb);
 		goto err;
 	}
 
-	err = nfnetlink_send(skb, net, pid, NFNLGRP_NFTABLES, report,
+	err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
 			     GFP_KERNEL);
 err:
 	if (err < 0)
-		nfnetlink_set_err(net, pid, NFNLGRP_NFTABLES, err);
+		nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
 	return err;
 }
 
@@ -507,7 +507,7 @@ static const struct nla_policy nft_hook_policy[NFTA_HOOK_MAX + 1] = {
 	[NFTA_HOOK_PRIORITY]	= { .type = NLA_U32 },
 };
 
-static int nf_tables_fill_chain_info(struct sk_buff *skb, u32 pid, u32 seq,
+static int nf_tables_fill_chain_info(struct sk_buff *skb, u32 portid, u32 seq,
 				     int event, int family,
 				     const struct nft_table *table,
 				     const struct nft_chain *chain)
@@ -516,10 +516,10 @@ static int nf_tables_fill_chain_info(struct sk_buff *skb, u32 pid, u32 seq,
 	struct nfgenmsg *nfmsg;
 
 	event |= NFNL_SUBSYS_NFTABLES << 8;
-	nlh = nlmsg_put(skb, pid, seq, event, sizeof(struct nfgenmsg), 0);
+	nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
 	if (nlh == NULL)
 		goto nla_put_failure;
-	nlh->nlmsg_flags	= pid ? NLM_F_MULTI : 0;
+	nlh->nlmsg_flags	= portid ? NLM_F_MULTI : 0;
 
 	nfmsg = nlmsg_data(nlh);
 	nfmsg->nfgen_family	= family;
@@ -567,7 +567,7 @@ static int nf_tables_chain_notify(const struct sk_buff *oskb,
 				  int event, int family)
 {
 	struct sk_buff *skb;
-	u32 pid = oskb ? NETLINK_CB(oskb).portid : 0;
+	u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
 	u32 seq = nlh ? nlh->nlmsg_seq : 0;
 	struct net *net = oskb ? sock_net(oskb->sk) : &init_net;
 	bool report;
@@ -582,18 +582,18 @@ static int nf_tables_chain_notify(const struct sk_buff *oskb,
 	if (skb == NULL)
 		goto err;
 
-	err = nf_tables_fill_chain_info(skb, pid, seq, event, family, table,
+	err = nf_tables_fill_chain_info(skb, portid, seq, event, family, table,
 					chain);
 	if (err < 0) {
 		kfree_skb(skb);
 		goto err;
 	}
 
-	err = nfnetlink_send(skb, net, pid, NFNLGRP_NFTABLES, report,
+	err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
 			     GFP_KERNEL);
 err:
 	if (err < 0)
-		nfnetlink_set_err(net, pid, NFNLGRP_NFTABLES, err);
+		nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
 	return err;
 }
 
@@ -1130,7 +1130,7 @@ static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
 	[NFTA_RULE_EXPRESSIONS]	= { .type = NLA_NESTED },
 };
 
-static int nf_tables_fill_rule_info(struct sk_buff *skb, u32 pid, u32 seq,
+static int nf_tables_fill_rule_info(struct sk_buff *skb, u32 portid, u32 seq,
 				    int event, int family,
 				    const struct nft_table *table,
 				    const struct nft_chain *chain,
@@ -1142,10 +1142,10 @@ static int nf_tables_fill_rule_info(struct sk_buff *skb, u32 pid, u32 seq,
 	struct nlattr *list;
 
 	event |= NFNL_SUBSYS_NFTABLES << 8;
-	nlh = nlmsg_put(skb, pid, seq, event, sizeof(struct nfgenmsg), 0);
+	nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
 	if (nlh == NULL)
 		goto nla_put_failure;
-	nlh->nlmsg_flags	= pid ? NLM_F_MULTI : 0;
+	nlh->nlmsg_flags	= portid ? NLM_F_MULTI : 0;
 
 	nfmsg = nlmsg_data(nlh);
 	nfmsg->nfgen_family	= family;
@@ -1187,7 +1187,7 @@ static int nf_tables_rule_notify(const struct sk_buff *oskb,
 				 int event, int family)
 {
 	struct sk_buff *skb;
-	u32 pid = NETLINK_CB(oskb).portid;
+	u32 portid = NETLINK_CB(oskb).portid;
 	u32 seq = nlh->nlmsg_seq;
 	struct net *net = sock_net(oskb->sk);
 	bool report;
@@ -1202,18 +1202,18 @@ static int nf_tables_rule_notify(const struct sk_buff *oskb,
 	if (skb == NULL)
 		goto err;
 
-	err = nf_tables_fill_rule_info(skb, pid, seq, event,
+	err = nf_tables_fill_rule_info(skb, portid, seq, event,
 				       family, table, chain, rule);
 	if (err < 0) {
 		kfree_skb(skb);
 		goto err;
 	}
 
-	err = nfnetlink_send(skb, net, pid, NFNLGRP_NFTABLES, report,
+	err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
 			     GFP_KERNEL);
 err:
 	if (err < 0)
-		nfnetlink_set_err(net, pid, NFNLGRP_NFTABLES, err);
+		nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
 	return err;
 }
 
@@ -1643,11 +1643,12 @@ static int nf_tables_fill_set(struct sk_buff *skb, const struct nft_ctx *ctx,
 {
 	struct nfgenmsg *nfmsg;
 	struct nlmsghdr *nlh;
-	u32 pid = NETLINK_CB(ctx->skb).portid;
+	u32 portid = NETLINK_CB(ctx->skb).portid;
 	u32 seq = ctx->nlh->nlmsg_seq;
 
 	event |= NFNL_SUBSYS_NFTABLES << 8;
-	nlh = nlmsg_put(skb, pid, seq, event, sizeof(struct nfgenmsg), flags);
+	nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
+			flags);
 	if (nlh == NULL)
 		goto nla_put_failure;
 
@@ -1687,7 +1688,7 @@ static int nf_tables_set_notify(const struct nft_ctx *ctx,
 				int event)
 {
 	struct sk_buff *skb;
-	u32 pid = NETLINK_CB(ctx->skb).portid;
+	u32 portid = NETLINK_CB(ctx->skb).portid;
 	struct net *net = sock_net(ctx->skb->sk);
 	bool report;
 	int err;
@@ -1707,11 +1708,11 @@ static int nf_tables_set_notify(const struct nft_ctx *ctx,
 		goto err;
 	}
 
-	err = nfnetlink_send(skb, net, pid, NFNLGRP_NFTABLES, report,
+	err = nfnetlink_send(skb, net, portid, NFNLGRP_NFTABLES, report,
 			     GFP_KERNEL);
 err:
 	if (err < 0)
-		nfnetlink_set_err(net, pid, NFNLGRP_NFTABLES, err);
+		nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, err);
 	return err;
 }
 
@@ -2113,7 +2114,7 @@ static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
 	struct nfgenmsg *nfmsg;
 	struct nlmsghdr *nlh;
 	struct nlattr *nest;
-	u32 pid, seq;
+	u32 portid, seq;
 	int event, err;
 
 	nfmsg = nlmsg_data(cb->nlh);
@@ -2132,10 +2133,10 @@ static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
 
 	event  = NFT_MSG_NEWSETELEM;
 	event |= NFNL_SUBSYS_NFTABLES << 8;
-	pid    = NETLINK_CB(cb->skb).portid;
+	portid = NETLINK_CB(cb->skb).portid;
 	seq    = cb->nlh->nlmsg_seq;
 
-	nlh = nlmsg_put(skb, pid, seq, event, sizeof(struct nfgenmsg),
+	nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
 			NLM_F_MULTI);
 	if (nlh == NULL)
 		goto nla_put_failure;
-- 
1.7.11.7



* [PATCH 02/11] netfilter: nf_tables: revert commit 2a3c360f
From: kaber @ 2012-12-12 18:47 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Patrick McHardy

From: Patrick McHardy <kaber@trash.net>

Commit 2a3c360f (netfilter: nf_tables: Add missing policy for NFTA_CHAIN_USE)
added NFTA_CHAIN_USE to the nft_chain_policy. This is useless since the
NFTA_CHAIN_USE attribute is only sent by the kernel, never received.

Signed-off-by: Patrick McHardy <kaber@trash.net>
---
 net/netfilter/nf_tables_api.c | 1 -
 1 Datei geändert, 1 Zeile entfernt(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 70ca084..63d71e7 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -496,7 +496,6 @@ static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
 	[NFTA_CHAIN_TABLE]	= { .type = NLA_STRING },
 	[NFTA_CHAIN_HOOK]	= { .type = NLA_NESTED },
 	[NFTA_CHAIN_POLICY]	= { .type = NLA_U32 },
-	[NFTA_CHAIN_USE]	= { .type = NLA_U32 },
 	[NFTA_CHAIN_NEW_NAME]	= { .type = NLA_STRING,
 				    .len = NFT_CHAIN_MAXNAMELEN - 1 },
 	[NFTA_CHAIN_TYPE]	= { .type = NLA_NUL_STRING },
-- 
1.7.11.7



* [PATCH 03/11] netfilter: nf_tables: move hgenerator from chain to table
From: kaber @ 2012-12-12 18:47 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Patrick McHardy

From: Patrick McHardy <kaber@trash.net>

With 48 bits rule handles, there's no risk of overflowing even when the
handles are unique per table and not per chain. Save a few bytes in the
chain structure and move the hgenerator to the table.

Signed-off-by: Patrick McHardy <kaber@trash.net>
---
 include/net/netfilter/nf_tables.h | 4 ++--
 net/netfilter/nf_tables_api.c     | 8 ++++----
 2 Dateien geändert, 6 Zeilen hinzugefügt(+), 6 Zeilen entfernt(-)

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 99c500f..86fd951 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -349,7 +349,6 @@ enum nft_chain_flags {
  *	@flags: bitmask of enum nft_chain_flags
  *	@use: number of jump references to this chain
  *	@level: length of longest path to this chain
- *	@hgenerator: handle generator state
  *	@name: name of the chain
  */
 struct nft_chain {
@@ -359,7 +358,6 @@ struct nft_chain {
 	u8				policy;
 	u16				use;
 	u16				level;
-	u64				hgenerator;
 	char				name[NFT_CHAIN_MAXNAMELEN];
 };
 
@@ -400,12 +398,14 @@ extern unsigned int nft_do_chain(const struct nf_hook_ops *ops,
  *	@chains: chains in the table
  *	@sets: sets in the table
  *	@flags: table flag (see enum nft_table_flags)
+ *	@hgenerator: handle generator state
  *	@name: name of the table
  */
 struct nft_table {
 	struct list_head		list;
 	struct list_head		chains;
 	struct list_head		sets;
+	u64				hgenerator;
 	u16				flags;
 	char				name[];
 };
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 63d71e7..9768881 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1116,9 +1116,9 @@ static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
 	return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
 }
 
-static inline u64 nf_tables_rule_alloc_handle(struct nft_chain *chain)
+static inline u64 nf_tables_rule_alloc_handle(struct nft_table *table)
 {
-	return ++chain->hgenerator;
+	return ++table->hgenerator;
 }
 
 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
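Review bot: nf_tables_rule_alloc_handle now increments a counter that every chain in the table shares, and nothing at the definition says so; the reasoning about the 48-bit handle space lives only in the commit message. A comment above the function, `/* Rule handles are drawn from a per-table counter shared by all chains of the table. */`, would keep that visible to the next reader. The increment itself is unsynchronised in the hunk; presumably all callers run under the nfnetlink subsystem lock, and if so the same comment is the place to state it.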
@@ -1338,7 +1338,7 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
 {
 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
 	const struct nft_af_info *afi;
-	const struct nft_table *table;
+	struct nft_table *table;
 	struct nft_chain *chain;
 	struct nft_rule *rule, *old_rule = NULL;
 	struct nft_expr_info info[NFT_RULE_MAXEXPRS];
@@ -1383,7 +1383,7 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
 				return 0;
 		}
 	} else
-		handle = nf_tables_rule_alloc_handle(chain);
+		handle = nf_tables_rule_alloc_handle(table);
 
 	if (handle == 0)
 		return -EINVAL;
-- 
1.7.11.7



* [PATCH 04/11] netfilter: nf_tables: move policy to struct nft_base_chain
From: kaber @ 2012-12-12 18:47 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Patrick McHardy

From: Patrick McHardy <kaber@trash.net>

Non-base-chains cannot have a policy, so move the policy member
to struct nft_base_chain. Also return an error when trying to add
a policy to a non-base-chain.

Signed-off-by: Patrick McHardy <kaber@trash.net>
---
 include/net/netfilter/nf_tables.h |  4 +++-
 net/netfilter/nf_tables_api.c     | 26 +++++++++++++++-----------
 net/netfilter/nf_tables_core.c    |  2 +-
 3 Dateien geändert, 19 Zeilen hinzugefügt(+), 13 Zeilen entfernt(-)

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 86fd951..d1a8e9e 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -355,7 +355,6 @@ struct nft_chain {
 	struct list_head		rules;
 	struct list_head		list;
 	u8				flags;
-	u8				policy;
 	u16				use;
 	u16				level;
 	char				name[NFT_CHAIN_MAXNAMELEN];
@@ -372,11 +371,14 @@ enum nft_chain_type {
  *	struct nft_base_chain - nf_tables base chain
  *
  *	@ops: netfilter hook ops
+ *	@type: chain type
+ *	@policy: default policy
  *	@chain: the chain
  */
 struct nft_base_chain {
 	struct nf_hook_ops		ops;
 	enum nft_chain_type		type;
+	u8				policy;
 	struct nft_chain		chain;
 };
 
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 9768881..11502db 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -531,8 +531,11 @@ static int nf_tables_fill_chain_info(struct sk_buff *skb, u32 portid, u32 seq,
 		goto nla_put_failure;
 
 	if (chain->flags & NFT_BASE_CHAIN) {
-		const struct nf_hook_ops *ops = &nft_base_chain(chain)->ops;
-		struct nlattr *nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
+		const struct nft_base_chain *basechain = nft_base_chain(chain);
+		const struct nf_hook_ops *ops = &basechain->ops;
+		struct nlattr *nest;
+
+		nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
 		if (nest == NULL)
 			goto nla_put_failure;
 		if (nla_put_be32(skb, NFTA_HOOK_HOOKNUM, htonl(ops->hooknum)))
@@ -541,7 +544,8 @@ static int nf_tables_fill_chain_info(struct sk_buff *skb, u32 portid, u32 seq,
 			goto nla_put_failure;
 		nla_nest_end(skb, nest);
 
-		if (nla_put_be32(skb, NFTA_CHAIN_POLICY, htonl(chain->policy)))
+		if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
+				 htonl(basechain->policy)))
 			goto nla_put_failure;
 
 		if (nla_put_string(skb, NFTA_CHAIN_TYPE,
@@ -682,7 +686,7 @@ err:
 }
 
 static int
-nf_tables_chain_policy(struct nft_chain *chain, const struct nlattr *attr)
+nf_tables_chain_policy(struct nft_base_chain *chain, const struct nlattr *attr)
 {
 	switch (ntohl(nla_get_be32(attr))) {
 	case NF_DROP:
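Review bot: The parameter of nf_tables_chain_policy is still called `chain` although its type is now `struct nft_base_chain *`, while both call sites in the later hunks pass `basechain` or `nft_base_chain(chain)`; keeping the same name for the two different types invites confusion. Renaming it, `nf_tables_chain_policy(struct nft_base_chain *basechain, const struct nlattr *attr)`, and updating the uses in the body makes the distinction visible at a glance. The function body continues outside the hunk.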
@@ -776,8 +780,10 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
 		if (nlh->nlmsg_flags & NLM_F_REPLACE)
 			return nf_tables_mvchain(skb, nlh, table, chain, nla);
 
-		if ((chain->flags & NFT_BASE_CHAIN) && nla[NFTA_CHAIN_POLICY]) {
-			return nf_tables_chain_policy(chain,
+		if (nla[NFTA_CHAIN_POLICY]) {
+			if (!(chain->flags & NFT_BASE_CHAIN))
+				return -EOPNOTSUPP;
+			return nf_tables_chain_policy(nft_base_chain(chain),
 						      nla[NFTA_CHAIN_POLICY]);
 		}
 		return 0;
@@ -830,23 +836,21 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
 		if (afi->hooks[ops->hooknum])
 			ops->hook = afi->hooks[ops->hooknum];
 
-		chain->policy = NF_ACCEPT;
 		chain->flags |= NFT_BASE_CHAIN;
 
 		if (nla[NFTA_CHAIN_POLICY]) {
-			err = nf_tables_chain_policy(chain,
+			err = nf_tables_chain_policy(basechain,
 						     nla[NFTA_CHAIN_POLICY]);
 			if (err < 0) {
 				kfree(basechain);
 				return err;
 			}
-		}
+		} else
+			basechain->policy = NF_ACCEPT;
 	} else {
 		chain = kzalloc(sizeof(*chain), GFP_KERNEL);
 		if (chain == NULL)
 			return -ENOMEM;
-
-		chain->policy = NF_ACCEPT;
 	}
 
 	INIT_LIST_HEAD(&chain->rules);
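Review bot: The new `} else` at the end of the policy block carries no braces while the `if` branch it pairs with does; kernel style asks for braces on both branches once either needs them, and the unbraced form is the shape that hides a later mis-edit. Writing it as `} else {` / `basechain->policy = NF_ACCEPT;` / `}` costs one line. A short comment on that assignment would also help, since the hunk no longer shows any other place that initialises the policy for a new base chain; presumably nf_tables_chain_policy sets it when the attribute is present, which is why the default is applied only in the else branch.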
diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
index 65e5385..a860769 100644
--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -136,7 +136,7 @@ next_rule:
 		goto next_rule;
 	}
 
-	return chain->policy;
+	return nft_base_chain(chain)->policy;
 }
 EXPORT_SYMBOL_GPL(nft_do_chain);
 
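Review bot: `nft_base_chain(chain)->policy` on the new return line is only valid when `chain` is a base chain, and nothing in the hunk establishes that; nft_do_chain begins well before the hunk, so whether `chain` has always been restored to the base chain by the time the rule list is exhausted (after any jumps) cannot be confirmed here. A comment above the return stating the invariant, e.g. `/* Rules exhausted: chain is the base chain again here, apply its policy. */`, would make the assumption explicit for readers of the fast path, assuming it holds.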
-- 
1.7.11.7



* [PATCH 05/11] netfilter: nf_tables: send notifications for base chain policy changes
From: kaber @ 2012-12-12 18:47 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Patrick McHardy

From: Patrick McHardy <kaber@trash.net>

Fix missing netlink notification for policy changes.

Signed-off-by: Patrick McHardy <kaber@trash.net>
---
 net/netfilter/nf_tables_api.c | 10 ++++++----
 1 Datei geändert, 6 Zeilen hinzugefügt(+), 4 Zeilen entfernt(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 11502db..4b36b0a 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -783,10 +783,12 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
 		if (nla[NFTA_CHAIN_POLICY]) {
 			if (!(chain->flags & NFT_BASE_CHAIN))
 				return -EOPNOTSUPP;
-			return nf_tables_chain_policy(nft_base_chain(chain),
-						      nla[NFTA_CHAIN_POLICY]);
+			err = nf_tables_chain_policy(nft_base_chain(chain),
+						     nla[NFTA_CHAIN_POLICY]);
+			if (err < 0)
+				return err;
 		}
-		return 0;
+		goto notify;
 	}
 
 	if (nla[NFTA_CHAIN_HOOK]) {
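Review bot: The unconditional `goto notify;` that replaces `return 0;` now emits an NFT_MSG_NEWCHAIN notification for a request naming an existing chain even when it carries no NFTA_CHAIN_POLICY attribute, i.e. when nothing about the chain changed; listeners will see spurious events for such no-op requests. Moving `goto notify;` inside the `if (nla[NFTA_CHAIN_POLICY])` block and keeping `return 0;` after it restricts the notification to the case where a policy was actually applied. nf_tables_newchain continues outside this hunk, and the `notify:` label is added in the following one.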
@@ -866,7 +868,7 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
 			return err;
 		}
 	}
-
+notify:
 	nf_tables_chain_notify(skb, nlh, table, chain, NFT_MSG_NEWCHAIN,
 			       family);
 	return 0;
-- 
1.7.11.7



* [PATCH 06/11] netfilter: nf_tables: introduce chain handles and fix chain rename
From: kaber @ 2012-12-12 18:47 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Patrick McHardy

From: Patrick McHardy <kaber@trash.net>

Add a chain handle as an alternative way to identify a chain for renames.
The handle is constant, while the name might change.

Kill the NFTA_CHAIN_NEW_NAME attribute since netlink attributes are
supposed to be symmetrical. Also fix netlink notification to not send
a DELCHAIN/NEWCHAIN message for renames but a simple NEWCHAIN with
the old handle and the new name.

Signed-off-by: Patrick McHardy <kaber@trash.net>
---
 include/linux/netfilter/nf_tables.h |   2 +-
 include/net/netfilter/nf_tables.h   |   2 +
 net/netfilter/nf_tables_api.c       | 100 ++++++++++++++++--------------------
 3 Dateien geändert, 48 Zeilen hinzugefügt(+), 56 Zeilen entfernt(-)

diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 5a6eefe..7640290 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -75,11 +75,11 @@ enum nft_table_attributes {
 enum nft_chain_attributes {
 	NFTA_CHAIN_UNSPEC,
 	NFTA_CHAIN_TABLE,
+	NFTA_CHAIN_HANDLE,
 	NFTA_CHAIN_NAME,
 	NFTA_CHAIN_HOOK,
 	NFTA_CHAIN_POLICY,
 	NFTA_CHAIN_USE,
-	NFTA_CHAIN_NEW_NAME,
 	NFTA_CHAIN_TYPE,
 	__NFTA_CHAIN_MAX
 };
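Review bot: Inserting NFTA_CHAIN_HANDLE ahead of NFTA_CHAIN_NAME renumbers NFTA_CHAIN_NAME, NFTA_CHAIN_HOOK, NFTA_CHAIN_POLICY and NFTA_CHAIN_USE, so userspace built against the previous header will encode the wrong attribute ids for those. If binary compatibility matters, appending the new value just before `__NFTA_CHAIN_MAX` keeps the existing numbering; if the attribute set is still considered unstable at this stage, a sentence in the commit message saying so would help reviewers judge the change.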
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index d1a8e9e..e7dc1da 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -346,6 +346,7 @@ enum nft_chain_flags {
  *
  *	@rules: list of rules in the chain
  *	@list: used internally
+ *	@handle: chain handle
  *	@flags: bitmask of enum nft_chain_flags
  *	@use: number of jump references to this chain
  *	@level: length of longest path to this chain
@@ -354,6 +355,7 @@ enum nft_chain_flags {
 struct nft_chain {
 	struct list_head		rules;
 	struct list_head		list;
+	u64				handle;
 	u8				flags;
 	u16				use;
 	u16				level;
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 4b36b0a..bc4eb76 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -118,6 +118,11 @@ static struct nft_table *nf_tables_table_lookup(const struct nft_af_info *afi,
 	return ERR_PTR(-ENOENT);
 }
 
+static inline u64 nf_tables_alloc_handle(struct nft_table *table)
+{
+	return ++table->hgenerator;
+}
+
 static struct nf_chain_type *chain_type[AF_MAX][NFT_CHAIN_T_MAX];
 
 static int __nf_tables_chain_type_lookup(int family, const struct nlattr *nla)
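Review bot: nf_tables_alloc_handle is undocumented although the later hunks assign its result both to `chain->handle` and to rule handles, so a reader cannot tell from the definition that chains and rules of a table draw from one handle space. A comment above it, `/* Allocate an object handle from the per-table counter; chains and rules of a table share one handle space. */`, would record that. The increment is unsynchronised; presumably every caller holds the nfnetlink subsystem lock, which is worth stating in the same comment if so.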
@@ -474,6 +479,19 @@ EXPORT_SYMBOL_GPL(nft_unregister_chain_type);
  * Chains
  */
 
+static struct nft_chain *
+nf_tables_chain_lookup_byhandle(const struct nft_table *table, u64 handle)
+{
+	struct nft_chain *chain;
+
+	list_for_each_entry(chain, &table->chains, list) {
+		if (chain->handle == handle)
+			return chain;
+	}
+
+	return ERR_PTR(-ENOENT);
+}
+
 static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
 						const struct nlattr *nla)
 {
@@ -491,13 +509,12 @@ static struct nft_chain *nf_tables_chain_lookup(const struct nft_table *table,
 }
 
 static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
+	[NFTA_CHAIN_HANDLE]	= { .type = NLA_U64 },
 	[NFTA_CHAIN_NAME]	= { .type = NLA_STRING,
 				    .len = NFT_CHAIN_MAXNAMELEN - 1 },
 	[NFTA_CHAIN_TABLE]	= { .type = NLA_STRING },
 	[NFTA_CHAIN_HOOK]	= { .type = NLA_NESTED },
 	[NFTA_CHAIN_POLICY]	= { .type = NLA_U32 },
-	[NFTA_CHAIN_NEW_NAME]	= { .type = NLA_STRING,
-				    .len = NFT_CHAIN_MAXNAMELEN - 1 },
 	[NFTA_CHAIN_TYPE]	= { .type = NLA_NUL_STRING },
 };
 
@@ -527,6 +544,8 @@ static int nf_tables_fill_chain_info(struct sk_buff *skb, u32 portid, u32 seq,
 
 	if (nla_put_string(skb, NFTA_CHAIN_TABLE, table->name))
 		goto nla_put_failure;
+	if (nla_put_be64(skb, NFTA_CHAIN_HANDLE, cpu_to_be64(chain->handle)))
+		goto nla_put_failure;
 	if (nla_put_string(skb, NFTA_CHAIN_NAME, chain->name))
 		goto nla_put_failure;
 
@@ -701,58 +720,19 @@ nf_tables_chain_policy(struct nft_base_chain *chain, const struct nlattr *attr)
 	return 0;
 }
 
-static int nf_tables_mvchain(struct sk_buff *skb, const struct nlmsghdr *nlh,
-			     struct nft_table *table,
-			     struct nft_chain *chain,
-			     const struct nlattr * const nla[])
-{
-	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
-	int family = nfmsg->nfgen_family;
-	struct nft_chain *new_chain;
-	struct nft_chain old_chain;
-
-	if (!nla[NFTA_CHAIN_NEW_NAME])
-		return -EINVAL;
-
-	if (chain->flags & NFT_BASE_CHAIN)
-		return -EOPNOTSUPP;
-
-	new_chain = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NEW_NAME]);
-	if (IS_ERR(new_chain)) {
-		if (PTR_ERR(new_chain) != -ENOENT)
-			return PTR_ERR(new_chain);
-		new_chain = NULL;
-	}
-
-	if (new_chain != NULL)
-		return -EEXIST;
-
-	new_chain = chain;
-
-	nla_strlcpy(old_chain.name,
-		    nla[NFTA_CHAIN_NAME], NFT_CHAIN_MAXNAMELEN);
-	nla_strlcpy(new_chain->name,
-		    nla[NFTA_CHAIN_NEW_NAME], NFT_CHAIN_MAXNAMELEN);
-
-	nf_tables_chain_notify(skb, nlh, table, &old_chain, NFT_MSG_DELCHAIN,
-			       family);
-	nf_tables_chain_notify(skb, nlh, table, new_chain, NFT_MSG_NEWCHAIN,
-			       family);
-	return 0;
-}
-
 static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
 			      const struct nlmsghdr *nlh,
 			      const struct nlattr * const nla[])
 {
 	const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
-	const struct nlattr *name;
+	const struct nlattr * uninitialized_var(name);
 	const struct nft_af_info *afi;
 	struct nft_table *table;
 	struct nft_chain *chain;
 	struct nft_base_chain *basechain = NULL;
 	struct nlattr *ha[NFTA_HOOK_MAX + 1];
 	int family = nfmsg->nfgen_family;
+	u64 handle = 0;
 	int err;
 	bool create;
 
@@ -766,28 +746,42 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
 	if (IS_ERR(table))
 		return PTR_ERR(table);
 
-	name = nla[NFTA_CHAIN_NAME];
-	chain = nf_tables_chain_lookup(table, name);
-	if (IS_ERR(chain)) {
-		if (PTR_ERR(chain) != -ENOENT)
+	chain = NULL;
+	if (nla[NFTA_CHAIN_HANDLE]) {
+		handle = be64_to_cpu(nla_get_be64(nla[NFTA_CHAIN_HANDLE]));
+		chain = nf_tables_chain_lookup_byhandle(table, handle);
+		if (IS_ERR(chain))
 			return PTR_ERR(chain);
-		chain = NULL;
+	} else {
+		name = nla[NFTA_CHAIN_NAME];
+		chain = nf_tables_chain_lookup(table, name);
+		if (IS_ERR(chain)) {
+			if (PTR_ERR(chain) != -ENOENT)
+				return PTR_ERR(chain);
+			chain = NULL;
+		}
 	}
 
 	if (chain != NULL) {
 		if (nlh->nlmsg_flags & NLM_F_EXCL)
 			return -EEXIST;
 		if (nlh->nlmsg_flags & NLM_F_REPLACE)
-			return nf_tables_mvchain(skb, nlh, table, chain, nla);
+			return -EOPNOTSUPP;
 
 		if (nla[NFTA_CHAIN_POLICY]) {
 			if (!(chain->flags & NFT_BASE_CHAIN))
 				return -EOPNOTSUPP;
+
 			err = nf_tables_chain_policy(nft_base_chain(chain),
 						     nla[NFTA_CHAIN_POLICY]);
 			if (err < 0)
 				return err;
 		}
+
+		if (nla[NFTA_CHAIN_HANDLE] && nla[NFTA_CHAIN_NAME])
+			nla_strlcpy(chain->name, nla[NFTA_CHAIN_NAME],
+				    NFT_CHAIN_MAXNAMELEN);
+
 		goto notify;
 	}
 
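Review bot: The new rename path at the end of the hunk copies NFTA_CHAIN_NAME into `chain->name` without checking whether another chain in the table already has that name; the removed nf_tables_mvchain did look the new name up and returned -EEXIST, so this commit drops that check and allows two chains of one table to end up with the same name, after which name-based lookup becomes ambiguous. A lookup of the requested name before the copy, tolerating only the chain being renamed, restores the guarantee. The removed function also refused to rename base chains with -EOPNOTSUPP; whether base chains may now be renamed is not stated in the description and deserves a sentence there. nf_tables_newchain continues outside the hunk.
```c
		if (nla[NFTA_CHAIN_HANDLE] && nla[NFTA_CHAIN_NAME]) {
			struct nft_chain *other;

			/* Reject a rename onto a name another chain already holds. */
			other = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME]);
			if (!IS_ERR(other)) {
				if (other != chain)
					return -EEXIST;
			} else if (PTR_ERR(other) != -ENOENT) {
				return PTR_ERR(other);
			}

			nla_strlcpy(chain->name, nla[NFTA_CHAIN_NAME],
				    NFT_CHAIN_MAXNAMELEN);
		}
		/* … unchanged: goto notify … */
```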
@@ -856,6 +850,7 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
 	}
 
 	INIT_LIST_HEAD(&chain->rules);
+	chain->handle = nf_tables_alloc_handle(table);
 	nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
 
 	list_add_tail(&chain->list, &table->chains);
@@ -1122,11 +1117,6 @@ static struct nft_rule *nf_tables_rule_lookup(const struct nft_chain *chain,
 	return __nf_tables_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
 }
 
-static inline u64 nf_tables_rule_alloc_handle(struct nft_table *table)
-{
-	return ++table->hgenerator;
-}
-
 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
 	[NFTA_RULE_TABLE]	= { .type = NLA_STRING },
 	[NFTA_RULE_CHAIN]	= { .type = NLA_STRING,
@@ -1389,7 +1379,7 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
 				return 0;
 		}
 	} else
-		handle = nf_tables_rule_alloc_handle(table);
+		handle = nf_tables_alloc_handle(table);
 
 	if (handle == 0)
 		return -EINVAL;
-- 
1.7.11.7



* [PATCH 07/11] netfilter: nf_tables: fix invalid event type in nf_tables_getrule()
From: kaber @ 2012-12-12 18:47 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Patrick McHardy

From: Patrick McHardy <kaber@trash.net>

The event type should be NFT_MSG_NEWRULE, not NFT_MSG_NEWCHAIN.

Signed-off-by: Patrick McHardy <kaber@trash.net>
---
 net/netfilter/nf_tables_api.c | 2 +-
 1 Datei geändert, 1 Zeile hinzugefügt(+), 1 Zeile entfernt(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index bc4eb76..afda73f 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1292,7 +1292,7 @@ static int nf_tables_getrule(struct sock *nlsk, struct sk_buff *skb,
 		return -ENOMEM;
 
 	err = nf_tables_fill_rule_info(skb2, NETLINK_CB(skb).portid,
-				       nlh->nlmsg_seq, NFT_MSG_NEWCHAIN,
+				       nlh->nlmsg_seq, NFT_MSG_NEWRULE,
 				       family, table, chain, rule);
 	if (err < 0)
 		goto err;
-- 
1.7.11.7

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* [PATCH 08/11] netfilter: nf_tables: remove ability to specify handles for new rules
From: kaber @ 2012-12-12 18:47 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Patrick McHardy

From: Patrick McHardy <kaber@trash.net>

Letting userspace specify a handle for a new rule does not serve any useful
purpose, so remove the ability. Also return an error if neither a handle nor
NLM_F_CREATE is specified.

Signed-off-by: Patrick McHardy <kaber@trash.net>
---
 net/netfilter/nf_tables_api.c | 31 +++++++++++++------------------
 1 Datei geändert, 13 Zeilen hinzugefügt(+), 18 Zeilen entfernt(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index afda73f..bacd417 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1363,26 +1363,21 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
 	if (nla[NFTA_RULE_HANDLE]) {
 		handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
 		rule = __nf_tables_rule_lookup(chain, handle);
-		if (IS_ERR(rule)) {
-			if (PTR_ERR(rule) != -ENOENT)
-				return PTR_ERR(rule);
-			rule = NULL;
-		}
+		if (IS_ERR(rule))
+			return PTR_ERR(rule);
 
-		if (rule != NULL) {
-			if (nlh->nlmsg_flags & NLM_F_EXCL)
-				return -EEXIST;
-			if (nlh->nlmsg_flags & NLM_F_REPLACE) {
-				old_rule = rule;
-				rule = NULL;
-			} else
-				return 0;
-		}
-	} else
+		if (nlh->nlmsg_flags & NLM_F_EXCL)
+			return -EEXIST;
+		if (nlh->nlmsg_flags & NLM_F_REPLACE) {
+			old_rule = rule;
+			rule = NULL;
+		} else
+			return 0;
+	} else {
+		if (!create)
+			return -EINVAL;
 		handle = nf_tables_alloc_handle(table);
-
-	if (handle == 0)
-		return -EINVAL;
+	}
 
 	n = 0;
 	size = 0;
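Review bot: The new `if (nlh->nlmsg_flags & NLM_F_REPLACE) { ... } else return 0;` mixes a braced and an unbraced branch, which kernel CodingStyle asks to brace on both sides whenever one side needs braces; `} else {` / `return 0;` / `}` would match the `} else {` this same hunk introduces for the no-handle path. The `return 0` also makes a NEWRULE that names an existing handle with neither NLM_F_EXCL nor NLM_F_REPLACE a silent no-op indistinguishable from success, which the next patch in the series turns into an explicit error. `create` is assigned outside the hunk, presumably from NLM_F_CREATE, and nf_tables_newrule starts and ends outside it.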
-- 
1.7.11.7

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* [PATCH 09/11] netfilter: nf_tables: return error for rule change request
From: kaber @ 2012-12-12 18:47 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Patrick McHardy

From: Patrick McHardy <kaber@trash.net>

We only support full replacement, not change of a rule.

Signed-off-by: Patrick McHardy <kaber@trash.net>
---
 net/netfilter/nf_tables_api.c | 2 +-
 1 Datei geändert, 1 Zeile hinzugefügt(+), 1 Zeile entfernt(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index bacd417..c91f638 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1372,7 +1372,7 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
 			old_rule = rule;
 			rule = NULL;
 		} else
-			return 0;
+			return -EOPNOTSUPP;
 	} else {
 		if (!create)
 			return -EINVAL;
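Review bot: The new `return -EOPNOTSUPP;` rejects a NEWRULE that names an existing handle without NLM_F_EXCL or NLM_F_REPLACE, but nothing at the site says why a plain change is refused; a short comment, `/* in-place modification is not supported, only full NLM_F_REPLACE */`, would stop the next reader from treating it as a missing feature rather than a design choice. nf_tables_newrule starts and ends outside the hunk.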
-- 
1.7.11.7

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* [PATCH 10/11] netfilter: nf_tables: return error for NLM_F_REPLACE without rule handle
From: kaber @ 2012-12-12 18:47 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Patrick McHardy

From: Patrick McHardy <kaber@trash.net>

Return an error when NLM_F_REPLACE is given without the handle of the
rule to replace.

Signed-off-by: Patrick McHardy <kaber@trash.net>
---
 net/netfilter/nf_tables_api.c | 10 +++-------
 1 Datei geändert, 3 Zeilen hinzugefügt(+), 7 Zeilen entfernt(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index c91f638..bbd463e 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1368,13 +1368,12 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
 
 		if (nlh->nlmsg_flags & NLM_F_EXCL)
 			return -EEXIST;
-		if (nlh->nlmsg_flags & NLM_F_REPLACE) {
+		if (nlh->nlmsg_flags & NLM_F_REPLACE)
 			old_rule = rule;
-			rule = NULL;
-		} else
+		else
 			return -EOPNOTSUPP;
 	} else {
-		if (!create)
+		if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
 			return -EINVAL;
 		handle = nf_tables_alloc_handle(table);
 	}
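Review bot: `if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)` relies on `&` binding tighter than `||`; it is correct, but checkpatch and most readers expect the bitwise test parenthesised: `if (!create || (nlh->nlmsg_flags & NLM_F_REPLACE))`. Returning -EINVAL for NLM_F_REPLACE without NFTA_RULE_HANDLE is consistent with the existing `!create` case in the same branch, so the error code itself needs no change. nf_tables_newrule starts and ends outside the hunk.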
@@ -1415,9 +1414,6 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
 	}
 
 	if (nlh->nlmsg_flags & NLM_F_REPLACE) {
-		if (old_rule == NULL)
-			goto err2;
-
 		list_replace_rcu(&old_rule->list, &rule->list);
 
 		nf_tables_rule_notify(skb, nlh, table, chain, old_rule,
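Review bot: With the `old_rule == NULL` guard removed, `list_replace_rcu(&old_rule->list, &rule->list);` now depends on the earlier rejection of NLM_F_REPLACE-without-handle in the previous hunk of this patch; a comment at the call, `/* old_rule is non-NULL: NLM_F_REPLACE without NFTA_RULE_HANDLE was rejected above */`, records that invariant for anyone later reordering the flag checks. The enclosing nf_tables_newrule starts and ends outside the hunk.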
-- 
1.7.11.7

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* [PATCH 11/11] netfilter: nf_tables: include NLM_F_APPEND/NLM_F_REPLACE flags in rule notification
From: kaber @ 2012-12-12 18:47 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Patrick McHardy

From: Patrick McHardy <kaber@trash.net>

Since the ruleset is ordered, userspace needs to know about NLM_F_APPEND to
properly interpret a NEWRULE message. In case of replacement we usually don't
send a DELX+NEWX message but a NEWX message with the NLM_F_REPLACE flag.

Signed-off-by: Patrick McHardy <kaber@trash.net>
---
 net/netfilter/nf_tables_api.c | 21 ++++++++++-----------
 1 Datei geändert, 10 Zeilen hinzugefügt(+), 11 Zeilen entfernt(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index bbd463e..c4e4baa 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1126,7 +1126,7 @@ static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
 };
 
 static int nf_tables_fill_rule_info(struct sk_buff *skb, u32 portid, u32 seq,
-				    int event, int family,
+				    int event, u32 flags, int family,
 				    const struct nft_table *table,
 				    const struct nft_chain *chain,
 				    const struct nft_rule *rule)
@@ -1137,7 +1137,8 @@ static int nf_tables_fill_rule_info(struct sk_buff *skb, u32 portid, u32 seq,
 	struct nlattr *list;
 
 	event |= NFNL_SUBSYS_NFTABLES << 8;
-	nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg), 0);
+	nlh = nlmsg_put(skb, portid, seq, event, sizeof(struct nfgenmsg),
+			flags);
 	if (nlh == NULL)
 		goto nla_put_failure;
 	nlh->nlmsg_flags	= portid ? NLM_F_MULTI : 0;
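Review bot: The new `flags` argument handed to nlmsg_put is overwritten two lines later by the context line `nlh->nlmsg_flags = portid ? NLM_F_MULTI : 0;`, so the NLM_F_APPEND/NLM_F_REPLACE bits that nf_tables_newrule passes in (the `nlh->nlmsg_flags & (NLM_F_APPEND | NLM_F_REPLACE)` hunk further down) never reach the message header and the patch does not deliver what its description promises. Either merge the multi-part bit instead of assigning, `nlh->nlmsg_flags |= portid ? NLM_F_MULTI : 0;`, or drop that line and have the dump caller pass NLM_F_MULTI in `flags` explicitly. The rest of nf_tables_fill_rule_info is outside the hunk.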
@@ -1179,7 +1180,7 @@ static int nf_tables_rule_notify(const struct sk_buff *oskb,
 				 const struct nft_table *table,
 				 const struct nft_chain *chain,
 				 const struct nft_rule *rule,
-				 int event, int family)
+				 int event, u32 flags, int family)
 {
 	struct sk_buff *skb;
 	u32 portid = NETLINK_CB(oskb).portid;
@@ -1197,7 +1198,7 @@ static int nf_tables_rule_notify(const struct sk_buff *oskb,
 	if (skb == NULL)
 		goto err;
 
-	err = nf_tables_fill_rule_info(skb, portid, seq, event,
+	err = nf_tables_fill_rule_info(skb, portid, seq, event, flags,
 				       family, table, chain, rule);
 	if (err < 0) {
 		kfree_skb(skb);
@@ -1237,7 +1238,7 @@ static int nf_tables_dump_rules(struct sk_buff *skb,
 						       sizeof(cb->args) - sizeof(cb->args[0]));
 					if (nf_tables_fill_rule_info(skb, NETLINK_CB(cb->skb).portid,
 								      cb->nlh->nlmsg_seq,
-								      NFT_MSG_NEWRULE,
+								      NFT_MSG_NEWRULE, 0,
 								      afi->family, table, chain, rule) < 0)
 						goto done;
 cont:
@@ -1292,7 +1293,7 @@ static int nf_tables_getrule(struct sock *nlsk, struct sk_buff *skb,
 		return -ENOMEM;
 
 	err = nf_tables_fill_rule_info(skb2, NETLINK_CB(skb).portid,
-				       nlh->nlmsg_seq, NFT_MSG_NEWRULE,
+				       nlh->nlmsg_seq, NFT_MSG_NEWRULE, 0,
 				       family, table, chain, rule);
 	if (err < 0)
 		goto err;
@@ -1415,9 +1416,6 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
 
 	if (nlh->nlmsg_flags & NLM_F_REPLACE) {
 		list_replace_rcu(&old_rule->list, &rule->list);
-
-		nf_tables_rule_notify(skb, nlh, table, chain, old_rule,
-				      NFT_MSG_DELRULE, nfmsg->nfgen_family);
 		nf_tables_rule_destroy(old_rule);
 	} else if (nlh->nlmsg_flags & NLM_F_APPEND)
 		list_add_tail_rcu(&rule->list, &chain->rules);
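Review bot: Dropping the DELRULE event means a listener sees a replacement only as NEWRULE with NLM_F_REPLACE and has to identify the replaced rule by handle; whether the new rule is created with the same handle as old_rule is decided outside this hunk, so that contract is currently implicit. A comment at `list_replace_rcu`, `/* replacement sends a single NEWRULE with NLM_F_REPLACE; no DELRULE event for old_rule */`, would make the userspace-visible behaviour explicit at the point it is decided. nf_tables_newrule starts and ends outside the hunk.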
@@ -1425,6 +1423,7 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
 		list_add_rcu(&rule->list, &chain->rules);
 
 	nf_tables_rule_notify(skb, nlh, table, chain, rule, NFT_MSG_NEWRULE,
+			      nlh->nlmsg_flags & (NLM_F_APPEND | NLM_F_REPLACE),
 			      nfmsg->nfgen_family);
 	return 0;
 
@@ -1470,7 +1469,7 @@ static int nf_tables_delrule(struct sock *nlsk, struct sk_buff *skb,
 		list_del_rcu(&rule->list);
 
 		nf_tables_rule_notify(skb, nlh, table, chain, rule,
-				      NFT_MSG_DELRULE, family);
+				      NFT_MSG_DELRULE, 0, family);
 		nf_tables_rule_destroy(rule);
 	} else {
 		/* Remove all rules in this chain */
@@ -1478,7 +1477,7 @@ static int nf_tables_delrule(struct sock *nlsk, struct sk_buff *skb,
 			list_del_rcu(&rule->list);
 
 			nf_tables_rule_notify(skb, nlh, table, chain, rule,
-					      NFT_MSG_DELRULE, family);
+					      NFT_MSG_DELRULE, 0, family);
 			nf_tables_rule_destroy(rule);
 		}
 	}
-- 
1.7.11.7

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* Re: [PATCH 00/11] netfilter: nf_tables: small cleanups and netlink fixes
From: Pablo Neira Ayuso @ 2012-12-14  7:16 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

On Wed, Dec 12, 2012 at 07:47:30PM +0100, kaber@trash.net wrote:
> The following patches clean up a few minor things and fix a couple of netlink
> issues:
> 
> - rename of pid to portid for consistency
> - revert patch to include use attribute only sent by the kernel in nla_policy 
> - move the hgenerator to the table to save a bit memory
> - move the chain policy to basechains
> - send netlink notifications for basechain policy changes
> - introduce a chain handle and fix chain renames
> - fix an invalid event type for rule GET operations
> - remove ability to specify handles for new rules
> - return an error for unsupported rule change requests
> - return an error for rule replacement requests without a rule
> - include NLM_F_APPEND/NLM_F_REPLACE in NEWRULE messages
> 
> Please apply, thanks.

All applied, thanks a lot Patrick.

